Arbitrary code execution in Irssi - CVE-2016-7045
Published: September 22, 2016 / Updated: September 23, 2016
Vulnerability identifier: #VU633
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2016-7045
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Irssi.org
Affected software:
Irssi
Irssi
Detailed vulnerability description
The vulnerability allows a remote user to cause arbitrary code execution on the target system.
The weakness exists due to input validation error. Having tricked the victim into loading specially crafted file attackers can invoke a buffer overflow in unformat_24bit_color() and execute arbitrary code.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
The weakness exists due to input validation error. Having tricked the victim into loading specially crafted file attackers can invoke a buffer overflow in unformat_24bit_color() and execute arbitrary code.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
How to mitigate CVE-2016-7045
Update to 0.8.20.